#698

Author: eamonnfaherty

servicecatalog_puppet/cli.py

@@ -580,6 +580,12 @@ def setup_config(
         os.environ[
             environmental_variables.SCHEDULER_ALGORITHM
         ] = remote_config.get_scheduler_algorithm(puppet_account_id_to_use, home_region)
+    if not os.environ.get(environmental_variables.AWS_STS_REGIONAL_ENDPOINTS):
+        os.environ[
+            environmental_variables.AWS_STS_REGIONAL_ENDPOINTS
+        ] = remote_config.get_aws_sts_regional_endpoints(
+            puppet_account_id_to_use, home_region
+        )
 
 
 @cli.command()

servicecatalog_puppet/commands/bootstrap.py

@@ -254,6 +254,11 @@ def bootstrap(
                 "ParameterValue": puppet_role_path,
                 "UsePreviousValue": False,
             },
+            {
+                "ParameterKey": "AWSSTSRegionalEndpoints",
+                "ParameterValue": config.get_aws_sts_regional_endpoints(),
+                "UsePreviousValue": False,
+            },
         ],
         "Tags": [{"Key": "ServiceCatalogPuppet:Actor", "Value": "Framework",}]
         + initialiser_stack_tags,

servicecatalog_puppet/commands/task_reference_helpers/generators/spoke_local_portfolios.py

@@ -473,7 +473,6 @@ def handle_spoke_local_portfolios(
                         all_tasks_task_reference,
                         constants.CREATE_POLICIES,
                         share_and_accept_ref,
-
                     ],
                     "account_id": task_to_add.get("account_id"),
                     "region": task_to_add.get("region"),

servicecatalog_puppet/commands/task_reference_helpers/generators/spoke_local_portfolios_test.py

@@ -166,9 +166,7 @@ def test_for_accounts(self):
                 "share_tag_options": "True",
                 "task_reference": f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}",
             },
-            all_tasks[
-                f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}"
-            ],
+            all_tasks[f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}"],
         )
 
         self.assertEqual(

servicecatalog_puppet/config.py

@@ -16,7 +16,6 @@
     serialisation_utils,
 )
 
-
 logger = logging.getLogger()
 
 
@@ -242,6 +241,10 @@ def get_global_share_principals_default():
     return os.environ.get(environmental_variables.GLOBAL_SHARE_PRINCIPALS)
 
 
+def get_aws_sts_regional_endpoints():
+    return os.environ.get(environmental_variables.AWS_STS_REGIONAL_ENDPOINTS)
+
+
 def get_on_complete_url():
     return os.environ.get(environmental_variables.ON_COMPLETE_URL, "")
 

servicecatalog_puppet/constants.py

@@ -397,7 +397,9 @@
 CACHE_DOWNLOADING_ROLE_NAME = "PuppetRoleForDownloadingFromCache"
 
 SHARE_PRINCIPALS_DEFAULT = False
-
+AWS_STS_REGIONAL_ENDPOINTS_LEGACY = "legacy"
+AWS_STS_REGIONAL_ENDPOINTS_REGIONAL = "regional"
+AWS_STS_REGIONAL_ENDPOINTS_DEFAULT = AWS_STS_REGIONAL_ENDPOINTS_LEGACY
 DESCRIBE_PORTFOLIO_SHARES = "describe-portfolio-shares"
 
 SCHEDULER_ALGORITHM_DEFAULT = "topological_generations"

servicecatalog_puppet/environmental_variables.py

@@ -28,3 +28,4 @@
 SPOKE_SCHEDULER_THREADS_OR_PROCESSES = "SCT_SPOKE_SCHEDULER_THREADS_OR_PROCESSES"
 SPOKE_SCHEDULER_ALGORITHM = "SCT_SPOKE_SCHEDULER_ALGORITHM"
 GLOBAL_SHARE_PRINCIPALS = "SCT_GLOBAL_SHARE_PRINCIPALS"
+AWS_STS_REGIONAL_ENDPOINTS = "AWS_STS_REGIONAL_ENDPOINTS"

servicecatalog_puppet/remote_config.py

@@ -184,6 +184,16 @@ def get_global_share_principals_default(puppet_account_id, default_region=None):
     )
 
 
+@functools.lru_cache(maxsize=32)
+def get_aws_sts_regional_endpoints(puppet_account_id, default_region=None):
+    logger.info(
+        "getting aws_sts_regional_endpoints,  default_region: {}".format(default_region)
+    )
+    return get_config(puppet_account_id, default_region).get(
+        "aws_sts_regional_endpoints", constants.AWS_STS_REGIONAL_ENDPOINTS_DEFAULT
+    )
+
+
 def get_spoke_deploy_environment_compute_type(puppet_account_id, default_region):
     logger.info(
         "getting spoke_deploy_environment_compute_type,  default_region: {}".format(

servicecatalog_puppet/template_builder/hub/bootstrap.py

@@ -15,7 +15,7 @@
     ssm,
 )
 
-from servicecatalog_puppet import config, constants
+from servicecatalog_puppet import config, constants, environmental_variables
 
 
 def get_template(
@@ -53,6 +53,18 @@ def get_template(
             Default="No",
         )
     )
+    aws_sts_regional_endpoints_parameter = template.add_parameter(
+        t.Parameter(
+            "AWSSTSRegionalEndpoints",
+            Type="String",
+            Description="This setting specifies how the SDK determines the AWS service endpoint that it uses to talk to the AWS Security Token Service (AWS STS).",
+            Default=constants.AWS_STS_REGIONAL_ENDPOINTS_DEFAULT,
+            AllowedValues=[
+                constants.AWS_STS_REGIONAL_ENDPOINTS_LEGACY,
+                constants.AWS_STS_REGIONAL_ENDPOINTS_REGIONAL,
+            ],
+        )
+    )
     puppet_code_pipeline_role_permission_boundary_parameter = template.add_parameter(
         t.Parameter(
             "PuppetCodePipelineRolePermissionBoundary",
@@ -586,6 +598,11 @@ def get_template(
             "Name": "PUPPET_ROLE_PATH",
             "Value": t.Ref(puppet_role_path_parameter),
         },
+        {
+            "Type": "PLAINTEXT",
+            "Name": environmental_variables.AWS_STS_REGIONAL_ENDPOINTS,
+            "Value": t.Ref(aws_sts_regional_endpoints_parameter),
+        },
     ]
 
     if is_codecommit:

servicecatalog_puppet/workflow/manifest/generate_manifest_with_ids_task.py

@@ -149,6 +149,11 @@ def run(self):
                 "value": config.get_global_share_principals_default(),
                 "type": "PLAINTEXT",
             },
+            {
+                "name": environmental_variables.AWS_STS_REGIONAL_ENDPOINTS,
+                "value": config.get_aws_sts_regional_endpoints(),
+                "type": "PLAINTEXT",
+            },
         ]
 
         if "http" in version: